/*
 * Copyright 2020-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.oauth2.server.authorization.web.authentication;

import java.util.HashMap;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.lang.Nullable;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

/**
 * Attempts to extract the parameters from {@link HttpServletRequest}
 * used for authenticating public clients using Proof Key for Code Exchange (PKCE).
 *
 * @author Joe Grandja
 * @since 0.0.2
 * @see AuthenticationConverter
 * @see OAuth2ClientAuthenticationToken
 * @see OAuth2ClientAuthenticationFilter
 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636">Proof Key for Code Exchange by OAuth Public Clients</a>
 */
public final class PublicClientAuthenticationConverter implements AuthenticationConverter {

	@Nullable
	@Override
	public Authentication convert(HttpServletRequest request) {
		// 请求必须是授权请求且含有授权码且参数中必须包含code_verifier参数信息 否则的话返回null，
		// 该转化器为最后一个，如果其返回null，那么就会直接执行一下个过滤器，也就意味这对客户端不做任何校验 也就是说认证模式为none时客户端不做认证直接跳过执行下一个过滤器
		// 除非授权码模式下增加了KPCE，请求参数中包含code_verifier信息 其会对code_verifier的真伪进行校验 此时none认证模式顺带会对clientId进行校验，但是clientSecreat不做校验
		// 不过需要注意的是该版本的springSecurity再客户端认证模式为none的时候会自动帮我们拼接code_verifier字段，所以none认证方式会对clientId进行校验
		if (!OAuth2EndpointUtils.matchesPkceTokenRequest(request)) {
			return null;
		}
		//获取参数信息
		MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);

		// client_id (REQUIRED for public clients)
		//对client_id进行校验，为null或者含有多个异常抛出
		String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
		if (!StringUtils.hasText(clientId) ||
				parameters.get(OAuth2ParameterNames.CLIENT_ID).size() != 1) {
			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
		}

		// code_verifier (REQUIRED)
		// 请求参数code_verifier必须是一个，否则异常抛出
		if (parameters.get(PkceParameterNames.CODE_VERIFIER).size() != 1) {
			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
		}
		//请求参数中将client_id移除
		parameters.remove(OAuth2ParameterNames.CLIENT_ID);

		Map<String, Object> additionalParameters = new HashMap<>();
		parameters.forEach((key, value) ->
				additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])));
		//返回一个未认证的OAuth2ClientAuthenticationToken对象
		return new OAuth2ClientAuthenticationToken(clientId, ClientAuthenticationMethod.NONE, null,
				additionalParameters);
	}
}
